This PDF document was made available from www.rand.org as a public service of the RAND Corporation.
This product is part of the RAND Corporation monograph series. RAND monographs present major research findings that address the challenges facing the public and private sectors. All RAND monographs undergo rigorous peer review to ensure high standards for research quality and objectivity.
Implications of Aggregated DoD Information Systems for Information Assurance Certification and Accreditation
Eric Landree, Daniel Gonzales, Chad Ohlandt, Carolyn Wong
Prepared for the United States Navy
Approved for public release; distribution unlimited
NATIONAL DEFENSE RESEARCH INSTITUTE
The research described in this report was sponsored by the United States
Navy. The research was conducted in the National Defense Research
Institute, a federally funded research and development center sponsored
by the Office of the Secretary of Defense, the Joint Staff, the Unified
Combatant Commands, the Department of the Navy, the Marine Corps,
the defense agencies, and the defense Intelligence Community under
Contract W74V8H-06-C-0002.
Library of Congress Cataloging-in-Publication Data
Implications of aggregated DoD information systems for information assurance certification and accreditation / Eric Landree ... [et al.].
p. cm.
Includes bibliographical references.
ISBN 978-0-8330-4948-3 (pbk. : alk. paper)
1. United States. Dept. of Defense--Information resources management. 2. United States. Dept. of Defense--Information technology. 3. Computer security--United States--Management. 4. Cyberinfrastructure--United States. 5. Computer networks--Security measures--United States. 6. Computer networks--Certification--United States. 7. Computer networks--Accreditation--United States. 8. Information technology--Security measures--United States. 9. Information technology--Certification--United States. 10. Information technology--Accreditation--United States. I. Landree, Eric.
UA23.3.I47 2010
355.6'88011--dc22
2010004574
The RAND Corporation is a nonprofit research organization providing
objective analysis and effective solutions that address the challenges facing
the public and private sectors around the world. RAND’s publications do
not necessarily reflect the opinions of its research clients and sponsors.
R® is a registered trademark.
Cover photos: (top) U.S. Navy photo by Mass Communication Specialist 3rd Class
Joshua Scott; (bottom) iStockphoto.
© Copyright 2010 RAND Corporation
Permission is given to duplicate this document for personal use only, as long
as it is unaltered and complete. Copies may not be duplicated for commercial
purposes. Unauthorized posting of RAND documents to a non-RAND
Web site is prohibited. RAND documents are protected under copyright law.
For information on reprint and linking permissions, please visit the RAND
permissions page (http://www.rand.org/publications/permissions.html).
Published 2010 by the RAND Corporation
1776 Main Street, P.O. Box 2138, Santa Monica, CA 90407-2138
1200 South Hayes Street, Arlington, VA 22202-5050
4570 Fifth Avenue, Suite 600, Pittsburgh, PA 15213-2665
RAND URL: http://www.rand.org
To order RAND documents or to obtain additional information, contact
Distribution Services: Telephone: (310) 451-7002;
Fax: (310) 451-6915; Email: order@rand.org
Summary
The challenges associated with securing U.S. Department of Defense
(DoD) information systems (ISs) have grown as the department’s information infrastructure has become more complex and interconnected.
At the same time, the potential negative consequences associated with
cyber intrusions have become more severe, as demonstrated by the
recently publicized breach of computer networks at defense contractors
involved in the development of the F-35 aircraft (Gorman, Cole, and
Dreazen, 2009). An important question to consider is whether current information assurance (IA) policies and procedures are sufficient
to address this growing threat and well suited to address vulnerability
issues associated with highly networked ISs.
Presently, all DoD ISs must individually satisfy the certification and accreditation (C&A) requirements outlined in DoD Instruction (DoDI) 8510.01, “DoD Information Assurance Certification and
Accreditation Process (DIACAP)” (2007), prior to receiving authorization to operate (ATO). As written, the DIACAP is focused on conducting C&A for a single system.
As the number of individual DoD ISs continues to grow, and as
they become more interdependent and are integrated in more complex
ways (for example, using service-oriented architectures, or SOAs), the
time and resources required to complete the C&A process will also
increase. Similarly, the current C&A process, which focuses on the
individual, discrete IS, may overlook potential vulnerabilities introduced at the interface between an ever-increasing number of ISs and
by increasingly complex network connections. Therefore, DoD might
find it necessary to consider new policies and procedures for assessing IA C&A for heterogeneous and variable collections of networked
systems and components. The objective of this study was to determine
whether there were any existing DoD or other federal policies that
could prevent or inhibit the U.S. Department of the Navy from applying the DIACAP to an aggregate of ISs or systems of systems (SoSs)
that are colocated or operate on a common platform (e.g., Navy vessel
or aircraft). A revised C&A process that focuses on aggregates of ISs or
SoSs should ideally provide the transparency and situational awareness
sought by the current process, require fewer resources to conduct, and
identify potential vulnerabilities that exist at the interface between ISs.
We considered three levels of aggregation. The first was the full
aggregation approach (option 1), in which every DoD IS on the platform or at the location is aggregated into a single DoD IS. The second
was the partial aggregation approach (option 2), in which systems are
logically aggregated such that the final number of aggregate DoD ISs
is less than the original number of ISs. For the purposes of this policy
analysis, we aggregated DoD ISs by mission assurance category (MAC),
confidentiality level (CL), and mission criticality (MC).[1] We used these
categories because of their relationship to the required IA controls and
the final accreditation determination. Further investigation would
be needed to determine the optimal set of categories for aggregating
DoD IS. The final case that we investigated involved no aggregation
(option 3), or what is essentially the current status quo defined in federal policy documents, in which each system is assessed and certified
individually. The final analysis for each of the three types of aggregation is shown in Table S.1.
The partial aggregation approach (option 2) identified fewer
potential policy issues and fewer implementation difficulties compared
to the full aggregation approach. Many of the issues associated with
implementing a partial aggregation approach could be addressed
with minor changes to the current DIACAP System Identification
[1] See Appendix B for definitions of these three characteristics and their levels.
Table S.1
Assessment of Policy Issues Related to IS Aggregation

Columns (degree of aggregation): Option 1, full aggregation; Option 2, partial aggregation; Option 3, no aggregation.

Rows (DIACAP activities assessed):
1. Initiate and plan IA C&A
   – Register system with DoD component IA program
   – Assign IA controls
   – Assemble DIACAP team
   – Initiate DIACAP implementation plan
2. Implement and validate assigned IA controls
   – Execute DIACAP implementation plan
   – Conduct validation activities
   – Prepare POA&M
   – Compile validation results and DIACAP Scorecard
3. Make certification determination and accreditation decisions
   – Make certification determination
   – Issue accreditation decision
4. Maintain authorization to operate and conduct reviews
   – Maintain situational awareness
   – Maintain IA posture
   – Conduct review (at least annually)
   – Initiate reaccreditation
5. Decommission
   – Retire system

Cell legend: no policy issues identified; no policy issues identified, but potential difficulties with implementation identified; potential policy issue(s) identified. The per-cell ratings are shaded in the original and are not recoverable from the text.
Profile (SIP) and the DIACAP Scorecard. It would also be necessary
to work with the White House’s Office of Management and Budget
(OMB) to determine the appropriate level of aggregation to meet OMB’s
Plan of Action and Milestones (POA&M) reporting requirements.
Under the current DoDI 8510.01, IA managers encounter difficult obstacles associated with monitoring IA situational awareness,
conducting IA control validation activities, summarizing validation
results, and attempting to preserve the IA posture of their systems individually and collectively as part of a larger SoS. The difficulty associated with these activities would likely persist even if an aggregate
DoD IS approach were implemented unless new standards for measuring IS security are developed, along with new techniques for monitoring, tracking, and validating IA controls. These techniques should
leverage methods derived from systems engineering.
We identified one potential policy issue for this approach that
would require significant modification to DoD policy. Specifically,
DoD policy does not currently allow for the decommissioning or the
modification of a portion of a DoD IS. It would be necessary to alter
existing policy to allow a component DoD IS that is part of a larger
aggregate DoD IS to be decommissioned or modified without the need
to also decommission or modify the larger aggregate DoD IS. Similarly, there is no method to verify the validity or accuracy of the C&A
assessment for a DoD IS with a component DoD IS that has been
decommissioned, modified, or removed. Currently, the only option is
to recertify the entire IS.
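As an added illustration (not code from the monograph or from DoD), the three aggregation options described earlier and the component-decommissioning issue described here, modelled on a constructed five-system inventory; the system names and the MAC/CL/MC level labels are assumptions for the sake of the example.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed inventory of component ISs on one platform (sample data,
# not from the monograph): (system name, MAC, CL, MC). Level labels are
# illustrative, not quoted from DoD policy.
INVENTORY: List[Tuple[str, str, str, str]] = [
    ("nav_sys",   "MAC I",   "Classified", "Mission Critical"),
    ("weapons",   "MAC I",   "Classified", "Mission Critical"),
    ("comms",     "MAC II",  "Classified", "Mission Essential"),
    ("logistics", "MAC III", "Sensitive",  "Mission Support"),
    ("email",     "MAC III", "Sensitive",  "Mission Support"),
]

def aggregate(inventory, option: int) -> Dict[str, List[str]]:
    """Map each aggregate DoD IS to its component ISs for option 1, 2 or 3."""
    groups = defaultdict(list)
    for name, mac, cl, mc in inventory:
        if option == 1:    # full aggregation: the whole platform is one DoD IS
            key = "platform"
        elif option == 2:  # partial aggregation by (MAC, CL, MC)
            key = f"{mac}/{cl}/{mc}"
        elif option == 3:  # no aggregation: each IS stands alone (status quo)
            key = name
        else:
            raise ValueError("option must be 1, 2 or 3")
        groups[key].append(name)
    return dict(groups)

def accreditation_count(inventory, option: int) -> int:
    """Number of separate C&A packages (ATOs) the option implies."""
    return len(aggregate(inventory, option))

def recertification_scope(inventory, option: int, retired: str) -> List[str]:
    """Sibling components whose C&A result is invalidated when `retired` is
    decommissioned. Under current policy the only option is to recertify the
    entire aggregate IS, so every other member of the aggregate is in scope;
    the larger the aggregate, the larger the cost of one component change."""
    for members in aggregate(inventory, option).values():
        if retired in members:
            return [m for m in members if m != retired]
    raise KeyError(f"{retired} is not in the inventory")

if __name__ == "__main__":
    for opt in (1, 2, 3):
        print(f"option {opt}: {accreditation_count(INVENTORY, opt)} C&A package(s)")
    print("retire nav_sys (option 2) ->", recertification_scope(INVENTORY, 2, "nav_sys"))
```

On the sample inventory the package count drops from five (option 3) to three (option 2) to one (option 1), while the recertification scope of a single retirement grows in the opposite direction.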
In the Navy, identical or nearly identical individual ISs are implemented across different platforms. According to current IA policy, each
instantiation of an IS should be certified and accredited independently.
The current approach is possibly justified by the fact that the configuration of individual ISs may vary across platforms. It should be noted,
however, that this heterogeneity potentially introduces IA vulnerabilities and complexity. Furthermore, the current approach may cause the
Navy to incur greater costs for the many individual IA certifications
required than if a common configuration of individual ISs were defined
and maintained across the Navy fleet and other platforms. Analysts in
the Navy and in DoD have started to develop concepts and approaches
for defining common secure or trusted configurations for individual
ISs. Such a configuration can generally be characterized as the IA pedigree of an IS. Several definitions of IA pedigree have been proposed.
However, in order for the concept of IA pedigree to be applied effectively to IA C&A aggregation efforts, a precise definition is needed.
Based on our analysis of existing policies, we make the following
recommendations to enable an SoS approach to conducting IA C&A:
• Policy recommendations:
– Restructure the SIP and the DIACAP Scorecard described in
DoDI 8510.01 to allow them to track both component DoD
ISs and aggregate DoD ISs.
– In consultation with OMB, develop an acceptable level of DoD
IS aggregation, and develop a strategy for tracking information
security performance between the POA&M and DoD budget
documentation.
– Develop or adopt a common set of IS security metrics that can
be used to aggregate information assurance control validation
results across the full range of ISs.
– Develop specific guidance and policy for modifying or decommissioning components or subsystems of an aggregated DoD
IS.
• Implementation recommendations:
– Conduct a pilot project to investigate alternative approaches to
and categories for partial aggregation and to assess the potential benefits of IA controls and C&A procedures for an aggregated DoD IS or DoD SoS.
– Develop and refine a definition of IS IA pedigree that can be
used in the IA aggregation C&A process.
In this monograph, we define an IS IA pedigree as including an IS
configuration management plan and an IS IA control profile, as well
as other IA metrics. (For a detailed definition of an IS IA pedigree, see
Chapter Four of this monograph.)
Drawing from experience in other areas of systems engineering,
it is possible that an SoS approach to IA may improve overall IA performance and enhance information security situational awareness and IA posture. However, this has yet to be
proven. Based on our initial analysis, a partial aggregation strategy that
used MAC, CL, and MC as the principal categories for aggregation
appears to present a reasonable first approach for achieving an aggregated C&A process and would require relatively few changes to the
current process outlined in DoDI 8510.01.
The current DIACAP process has been characterized as a significant improvement over its predecessor. However, it is not without its
own limitations. As DoD and the rest of the federal government move
toward a more decentralized, service-oriented architecture, the process of conducting IA C&A will become more daunting, and an ever-increasing number of potentially critical IA vulnerabilities will likely
go unidentified until it is too late. Therefore, it is important for DoD to
investigate systems engineering methods and techniques to help ensure
the protection and availability of the nation’s critical communication
and information networks.